Check the strength of passwords

A cool application for checking the strength of passwords

del.icio.us Tags: ,
,,,
,,

Advertisements

Open letter to Mr. Phisher

I received a very amusing e-mail today:

Hello,
It is with profound sense of sadness i wrote this email to you. I don’t know how you will find this but you just have to forgive me for not telling you before leaving. I traveled down to United Kingdom Yesterday for a short vacation but unfortunately,i was mugged at a gun point on my way to the hotel i lodged all my money and all other vital documents including my credit card and my cell phone have been stolen by muggers.
I’ve been to the embassy and the Police here but they’re not helping issues at all,Things are difficult here and i don’t know what to do at the moment that why i email to ask if you can lend me £1,500.00 so i can settle the hotel bill and get a returning ticket back home. Please do me this great help and i promise to refund the money as soon as i get back home.
I look forward to your positive response.
Thanks

This coming supposedly coming from the Gmail of a fellow engineer that happens to live in my town and is at 2 degrees of separation from me in the LinkedIn network.

Sorry, Mr. Phisher, I don’t know the guy enough to send the funds, my bad for not being more proactive in extending my network, he was just a step away! (if he really is the one who set the account with his name). It will help your cause if you read the newspapers, for the last few days there have been no flights to or from London, you know, the volcano thing.

I heard stories of people getting similar e-mails from people they know, some of the stories may be more verisimilar even. The would be phishers make good use of the information that can be gathered from social networks to craft these targeted e-mails.

 

Google problems may have bigger problems than people creating accounts to send phishing e-mails.

 

One Password fits all

I recently discussed the problems associated with weak passwords here. Since then, there have been a few cases of hackers publishing stolen passwords form popular sites such as phpbb or the passwords that the conficker worm uses to spread across shares. Some researches report that people often use the same password on many websites making themselves vulnerable to serious attack if the password for a low value website is the same as the one used in a high value target

Password selection tips abound and as long as your password has enough entropy, users data is somewhat out of reach of most hackers.

Despite the advice of security gurus, the manifest limitations of the average human brain for generating and remembering more than a few passwords is a physical barrier to a widespread adoption secure practices. Password managers may help to keep your passwords organized. They have functions to generate strong passwords and can connect directly with browsers or e-mail programs.

Another way around is the OpenID network that allow users to have one identity for multiple on-line services. The OpenID protocol is inclusive enough that can work as an Authenticator using biometrics or smart-tokens.  Open ID is still in the adoption phase, not all online services accept it.

Authentication – Part IV Password Protocols

To be useful, passwords need to be transmitted or negotiated between the server and the client.

Transmission of the password in the clear is subjected to eavesdropping and therefore very insecure. The password storage on the servers side must also be protected from the possibility that the file falls on the wrong hands, compromising the security of the system.

There are several constraints to the design of password protections protocols, one of the most important being the limited amount of entropy that user memorized passwords necessarily have. Computation time is another big constraint. Even small delays in the response time can make the difference between a system the user is happy to interact with, and a system in which security features will be disabled for the sake of interactivity.

The key features of a password protection protocol are described below:

  1. The transmission and storage of passwords should be non plain-text equivalent: This means, the protocol should be such that even if an attacker obtains the database containing the password or eavesdrop the exchange between client and server, this will not compromise the security of the exchange.
  2. The protocol must be resistant to replay attack: That is, if an eavesdropper successfully record a login session, the information can not be used to compromise a future (or past) exchange between the Client and the server.
  3. The protocol must be resistant to the Denning-Sacco attack: In this attack, by capturing the session key (not the raw password) the eavesdropper has enough information to successfully mount a brute force attack or at least to successfully impersonate the user.
  4. The protocol must be resistant to active attacks:In these situations the protocol leaks enough information that allows the attacker to impersonate the server to the client, make a guess of the correct password and then, by faking a failure, obtain confirmation from the client when the guessed password is correct.
  5. Protocols that work on the base of zero-knowledge proof of password possession are preferable: Zero-knowledge means that the server does not need to know the password to prove that the client knows the password. Passwords are never stored on the server therefore they cannot be stolen. 

Some protocols encrypt the exchange of information to avoid the plain-text equivalence. Others used a form of asymmetric key exchange (a la Diffie-Helmann) that are generated based on the password but do not leak any information about it.

The following is a list of the some of the commonly used password schemes, classified by its strength:

(adapted from SRP competitive analysis)

Weak (not to be used)

  • Clear-text passwords (such as unsecured telnet, rlogin, etc.)
  • Encoded passwords (HTTP Basic Authentication)
  • Classic challenge-response protocols (HTTP Digest Authentication, Windows NTLM Authentication, APOP, CRAM, CHAP, etc.)
  • One-Time Password schemes based on a human memorable (low entropy) secret (S/Key, OPIE)
  • Kerberos V4

 

Pseudo-Strong (they have known vulnerabilities in some implementations)

Strong

  • Secure Remote Password (SRP) – Developed in 1997 by Wu, is a strong password authentication protocol now widespread among Open Source and commercial products. SRP does not expose passwords to either passive or active network intruders, and it stores passwords as a “non-plaintext-equivalent” one-way hash on the server. SRP is available as part of standard Telnet and FTP implementations, and is being rapidly incorporated into Internet protocols that require strong password authentication.
  • Encrypted Key Exchange(EKE) – Developed by Bellovin & Merritt in 1992 is one of the earliest examples of secure password protocols.
  • Strong Password Exponential Key Exchange (SPEKE) developed by David Jablon . It is licensed by Entrust for their TruePass product.
  • Diffie-Helmann Encrypted Key Exchange (DH-EKE)
  • AMP
  • SNAPI
  • AuthA
  • OKE
  • Variations of all of the above.

 

See also: Authentication – Part I, Part II and Part III.